[buug] xtreelic, maitrd, busboy, and garcon
Patrick Soltani
PSoltani at iitcorporation.com
Thu Feb 5 18:12:49 PST 2004
I always assume the worst ;-).
Since your machine is linux run the following:
"netstat -nap"
check for the daemon/port number. If you haven't set it up, kill it.
what's the result of "ls -/" or "ps -/". if anything other than help pages, then you're likely have been trojaned.
Check the file sizes for "ps, ls, tcpdump, netstat login sh/bash" with a good copy.
you can do "lsof -p PID" get the PID from the netstat above for the processes you're concerned with, would tell more about your processes.
The answer from lsof could be reused with rpm -qf /path/to/file to see if it's part of any rpm package or a rouge install, or remote shell toolkit, RST.
Finally get the http://www.chkrootkit.org/ and install it, run and see the output.
Regards,
Patrick Soltani.
> -----Original Message-----
> From: buug-admin at weak.org [mailto:buug-admin at weak.org]On Behalf Of
> Joseph Zitt
> Sent: Thursday, February 05, 2004 1:53 AM
> To: buug at weak.org
> Subject: [buug] xtreelic, maitrd, busboy, and garcon
>
>
> http://crypto.yashy.com/nmap.php which apparently runs nmap againt the
> machine that calls it, reported the following ports as open
> on my RedHat
> 9 box:
>
> PORT STATE SERVICE
> 22/tcp open ssh
> 80/tcp open http
> 996/tcp filtered xtreelic
> 997/tcp filtered maitrd
> 998/tcp filtered busboy
> 999/tcp filtered garcon
>
> I'm puzzled by the latter four entries, since they're not anything I'm
> familiar with. Googling suggests that maitrd has something to do with
> remote process invocation, but that's from a paper written in
> 1990 that
> may or may not be relevant.
>
> Does anyone know what these are? Is there any way to find out what
> programs use them? Should I be worried, and should I close them?
>
> _______________________________________________
> Buug mailing list
> Buug at weak.org
> http://www.weak.org/mailman/listinfo/buug
>
More information about the buug
mailing list